How to leverage rep:glob ACEs to manage permissions on multi-tenant systems

Objective

Our AEM instance has multiple tenants (for example, different departments that should not be able to access each other's sites and/or assets). How do we manage the permissions so that the tenants cannot view each other's content?

Environment

AEM 6.x.

Steps

To simplify managing permissions in a multi-tenant system, you can use access control entries (ACEs) that carry a rep:glob restriction. These entries let you grant users access only to what you want them to see, instead of having to maintain deny entries. They are scoped by a path pattern relative to the node the ACE is set on, rather than applying to that node's whole subtree.

To demonstrate how this is done, we will assume that we are securing a system with /content/siteA, /content/siteB and /content/siteC, and we want users of siteA to be unable to view siteB or siteC, users of siteB to be unable to view siteA or siteC, and users of siteC to be unable to view siteA or siteB.

A. Create a group for each site

The first step is to create a common group and a group for each site's users. For example, common-authors, siteA-authors, siteB-authors, siteC-authors. Use the user administration UI to add the groups.

B. Grant the common-authors group read access to the /content node like this:

Go to http://host:port/crx/de/index.jsp and log in as admin.

Browse to and select the node /content.

In the bottom right panel select the Access Control tab.

Click the green plus icon to the right to add a new Access Control Policy (the policy already exists if you already see access control entries listed; in that case go on to the next step).

Click the green plus icon that shows up after that to add a new Access Control Entry.

Enter the Principal of the common user group common-authors.

Select Allow for the Type.

Enable the checkbox for jcr:read.

Expand Advanced and, under rep:glob, enter a pair of double quotes "" (an empty glob, which limits the entry to the /content node itself and none of its children).

Add two more Access Control Entry items for the same principal (common-authors) with these settings:

Type     Permissions    rep:glob
Allow    jcr:read       /jcr:primaryType
Allow    jcr:read       /:childOrder

Click OK.

C. Add access to modify the desired branch of experience fragments without being able to delete them.

Now, also using CRXDe, go to the desired sub-path under /content/siteX, for example /content/siteA.

In the bottom right panel select the Access Control tab.

Click the green plus icon to the right to add a new Access Control Policy (the policy already exists if you already see access control entries listed; in that case go on to the next step).

Click the green plus icon again to add a new Access Control Entry.

Enter the group id of the site as the Principal.

Select Allow for the Type.

Expand Advanced and enable the checkboxes for the permissions you want to grant for full edit access: jcr:read, jcr:addChildNodes, jcr:nodeTypeManagement, jcr:modifyProperties, jcr:versionManagement, jcr:lockManagement, jcr:removeNode and jcr:removeChildNodes.
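The same entries from steps B and C can be created through the JCR/Jackrabbit API instead of CRXDE, which is useful when tenants are provisioned by script. The following is an added example and not part of the original article; it assumes an admin Session on AEM 6.x, that the groups from step A already exist, and that the class name MultiTenantAcl is arbitrary.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

public final class MultiTenantAcl {   // hypothetical helper class, not AEM's own

    // Adds one Allow jcr:read ACE restricted by rep:glob. An empty glob "" matches the
    // target node only (no children); "/jcr:primaryType" and "/:childOrder" match just
    // those items, so the group can list /content without reading any tenant subtree.
    private static void allowRead(Session session, JackrabbitAccessControlList acl,
                                  Principal principal, String glob) throws RepositoryException {
        Privilege[] read = AccessControlUtils.privilegesFromNames(session, Privilege.JCR_READ);
        Map<String, Value> restrictions = new HashMap<>();
        restrictions.put("rep:glob", session.getValueFactory().createValue(glob));
        acl.addEntry(principal, read, true, restrictions);
    }

    // Step B: the three glob-restricted read entries for common-authors on /content.
    public static void grantCommonRead(Session session) throws RepositoryException {
        Principal common = ((JackrabbitSession) session).getPrincipalManager()
                .getPrincipal("common-authors");
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, "/content");
        allowRead(session, acl, common, "");
        allowRead(session, acl, common, "/jcr:primaryType");
        allowRead(session, acl, common, "/:childOrder");
        session.getAccessControlManager().setPolicy("/content", acl);
        session.save();
    }

    // Step C: unrestricted edit rights for one tenant group on its own site root only,
    // e.g. grantSiteEdit(session, "siteA-authors", "/content/siteA").
    public static void grantSiteEdit(Session session, String group, String sitePath)
            throws RepositoryException {
        Principal tenant = ((JackrabbitSession) session).getPrincipalManager().getPrincipal(group);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, sitePath);
        Privilege[] edit = AccessControlUtils.privilegesFromNames(session,
                Privilege.JCR_READ, Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_NODE_TYPE_MANAGEMENT,
                Privilege.JCR_MODIFY_PROPERTIES, Privilege.JCR_VERSION_MANAGEMENT,
                Privilege.JCR_LOCK_MANAGEMENT, Privilege.JCR_REMOVE_NODE, Privilege.JCR_REMOVE_CHILD_NODES);
        acl.addEntry(tenant, edit, true);   // no rep:glob: applies to the whole site subtree
        session.getAccessControlManager().setPolicy(sitePath, acl);
        session.save();
    }
}
```

After applying the entries, verify the result by logging in as a siteA-authors member and confirming that /content/siteB and /content/siteC are not visible in the Sites console or in CRXDE.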